Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
6. Nine Structures
1. Boot blocks
• First 1024 bytes of volume
• Typically empty on modern systems
2. Volume Header and Alternate Volume Header
•Located 1024 bytes from the beginning of the
volume
•Information about the volume, including the
location of other structures
9. Mac Timestamps
•All in local time
•HFS+ Volume
•Create date, modify date, backup date,
checked date
•File
•Access, modify, inode change, inode birth
time (file creation)
13. Catalog File
• Details hierarchy of files and folders in the system
• Each file and folder has a unique catalog node ID
(CNID)
14. Attributes File
• Optional
• Used for named forks
• Additional metadata assigned to a file
• Like Microsoft's Alternate Data Streams
• Stores origin of files from the Internet, and tags
like "Green" and "Important"
17. Spotlight
• Metadata indexing and searching service
• Indexers examine the content of files to find
keywords
• Some index entire content, others only import
metadata
18. Spotlight
• Can be used to search a live system
• Not much use for a static acquisition
• Indexes are deleted when a file is deleted
• No tools are available to parse the data stored
by the Spotlight indexer once it's extracted
from a drive image
19. Managed Storage
• New in Mac OS X Lion (10.7)
• Allows apps to continuously save data
• Uses daemon "revisiond"
• Saves data on volumes under the "hidden"
directory
• /.DocumentRevisions-V100
20. Capturing db Files
• Copy them to another folder
• Originals are in use and won't open
• db.sqlite shows files used with timestamps
24. File System Layout
• Four domains for data classification
• Local
• System
• Network
• User
25. Local Domain
• Applications and configurations that are shared
among all users of a system
• Administrative privileges required to modify
data in this domain
• These directories are in the local domain:
26. System Domain
• Data installed by Apple, and a few specialized
low-level utilities
• Most useful domain for intrusion investigations
because it contains the system logs
• Includes all the traditional Unix structures, all of
which require administrative privileges to
modify
• /bin, /usr, /dev, /etc, and so on, also /System
27. Network Domain
• Applications and data stored here is shared
among a network of systems and users
• In practice, rarely populated with data
• Located under the /Network directory
28. User Domain
• Primary source of data for most other
investigations
• Contains user home directories and a shared
directory
• All user-created content and configurations will
be found under /Users
• High-privilege and Unix-savvy users may break
this model
29. MacPorts Package Manager
• Lets you add BSD packages to your Mac
• Very useful
• Requires command-line developer tools
• Link Ch 13b
33. Inside the Bundle
• Right-click, Show Package Contents
• Subdirectories
• MacOS, Resources, Library, Frameworks,
PlugIns, SharedSupport
• Developers can put anything in these directories
• VMware Fusion's Library folder contains command-
line utilities to manage the VMware hypervisor
35. Package Contents
• Contains additional metadata
• Time and date stamps show when the app was
installed
• A good place to hide data
36. /Developer
• Used by XCode, Apple's development
environment
• Until recently, all development tools, SDKs,
documentation, and debugging tools were here
• Later versions of XCode moved the tools
• This directory may still be present on some
systems
37. /Library
• /System/Library
• App settings for the operating system
• /Library
• Settings shared between users
• /Users/username/Library
• User-specific settings
38. Application Support
• /Library/Application Support
• /User/username/Library/Application Support
• Settings, caches, license information, and
anything else desired by the developer
45. WebServer
• /Library/WebServer
• Apache, installed on every copy of Mac OS X,
is started when a user turns on Web sharing
• This folder is Apache's Document Root
46. File Types
• Used by nearly every application
• Property lists (.plist)
• Tools: plutil on Mac, "plist Explorer" on
Windows
• SQLite databases
• Tools: Firefox Plugin SQLite Manager,
sqlitebrowser
48. Traditional Unix Paths
• Some investigations are based entirely on data
found here, such as log files
• /System directory is structured similarly to the
/Library directory
• Locations where applications maintain
persistence
• Requires administrator privileges to create or
modify files
49. Artifacts
• System logs in /var/log
• Databases in /var/db
• Records of printed data in the CUPS log
• System sleep image
• Software imported using MacPorts or Fink, or
compiled in place, may be in /opt
53. User and Service
Configuration
• Apple uses LDAP for enterprise management
and Directory Services for local user
management
• Directory Services doesn't use the traditional
Unix files /etc/passwd and /etc/groups
• Data in SQLite databases and binary-formatted
property lists
54. The Evidence
• Directory Service data is in
/private/var/db/dslocal
• Databases (or nodes) for the local system are in
the subdirectory nodes/Default
• My password hash is on the next slide
• More info at links Ch 13c and 13d
58. sqlindex
• In /private/var/db/dslocal
• Maintains creation and modification time for the
plist files in the directory structure
• And information on the relationships between
the data
• Automatically backed up to /private/var/db/
dslocal-backup.xar (a gzip tar file)
59. Analysis of sqlindex
• Shows when a share was created
• Whether an account existed,and its privilege
level
61. Sharepoints
• Status of the share for
• AFP (Apple Filing Protocol)
• SMB (Server Message Block)
• FTP (File Transfer Protocol)
• Sharepoint names and share path
• When the share was created
62. Trash and Deleted Files
• Files deleted from USB sticks go into a Trash
folder on the stick, labeled by user ID, like
• /Volumes/USBDRIVE/.Trashes/501
63. System Auditing,
Databases, and Logging
• Open Source Basic Security Module (OpenBSM)
• Powerful auditing system
• Logs:
• File access
• Network connections
• Execution of applications and their command-
line options
64. OpenBSM
• Default configuration doesn't save detailed
information and is of limited use for IR
• Configuration files in /etc/security
• Primary file is audit_control
65. OpenBSM
• This configuration will log everything for all
users, and
• Login/logout, administrative events,
processes, and network activity
66. Helper Services
• Run in background
• Track events or common data
• Maintain state with SQLite databases or
property list
• Examples:
67. Airportd
• Runs in an application sandbox
• Configured in /usr/share/sandbox